Dramatic Rise in Malware

Things are heating up on the spam and malware fronts, according to security researchers. This isn’t especially surprising. Things seem always to be heating up on the spam and malware fronts.

In the last year, however, the good guys won a couple of big battles against their black hat counterparts.

In February, for example, Microsoft Corp. obtained a court-ordered shutdown of almost 280 Internet domains associated with the Waledoc botnet. Waledoc itself used thousands of infected “zombie” computers to distribute its spam; these zombie systems communicated with master or “command” systems hosted in the blacklisted domains; turning off Internet access to these domains effectively turned off Waledoc, at least for the purposes of spamming.

The result, according to the spam and malware experts at Symantec Corp., was a significant decline in spam-borne malware, at least through the first five months of 2010. Spam levels were still high -- with spam volumes comprising almost 90 percent of all e-mail traffic -- but spam-borne malware levels (as a percentage of all spam) were historically low. The calm was almost eerie.

Until last month, however, when things took a turn -- for the worst.

Malware activity in June increased by as much as 400 percent relative to its previous yearly worst. The unavoidable upshot, Symantec researchers conclude, is that malware mongers have recovered from the loss of Waledoc. “[T]he delivery of malware [was] at the forefront of the June 2010 monthly spam landscape,” write researchers in Symantec’s State of Spam and Phishing monthly report.

“In 2010, Symantec had not observed malware levels above 3 percent of all spam, even on days when malware spam spiked. However, malware spam made up almost 12 percent of all spam on June 13th, and topped 5 percent on June 3 and June 15.”

Malware spiked even as spam traffic on the whole was down slightly (by just over 1 percent), sequentially, from the previous month.

The ugly truth is that spammers and malware mongers have plenty to work with. For example, researchers recently remarked an uptick in World Cup-related spam.

Not surprisingly, some crackers are using the World Cup -- or World Cup-related themes -- to perpetrate malware attacks. One such effort targeted Brazilian chemical, manufacturing, and financial services companies, according to Symantec subsidiary MessageLabs, which specializes in e-mail security.

This attack used both an infected PDF file and a malicious link embedded in the e-mail message. (The link was likewise embedded in a clickable image -- that of a FIFA soccer ball.) "The inclusion of two methods of attack means that even if the PDF is removed as suspicious by an anti-virus gateway, the malicious link remains in the body of the e-mail and may still be delivered to the recipient. This is because many e-mail filtering systems are configured to simply remove or clean viral attachments, and will often allow the 'cleaned' e-mail to be delivered to the recipient, in this case with the malicious link still intact,” write MessageLabs researchers. At least one other World Cup-related attack uses Javascript to conceal destination Web sites, according to MessageLabs.

Quite aside from malware, this year’s spate of World Cup-related spam is far outpacing that of 2006, according to Symantec’s report, which notes that “the volume of messages with World Cup keywords in the subject line is more than 9 times higher now than compared to that of 2006.”